Orome1 writes "In the last couple of decades, we have become so accustomed to the idea that the public portion of our everyday life is watched and recorded — in stores, on the street, in institutions — that we often don't even notice the cameras anymore. Analog surveillance systems were difficult to hack into by people who lacked the adequate knowledge, but IP cameras — having their own IPs — can be quite easily physically located and their stream watched in real-time by anyone who has a modicum of computer knowledge and knows what to search for on Google."

I had bookmarked that post when I originally read it, so there was absolutely no need for me to "go through there" for any other reason than to contribute to this discussion. To presume otherwise is a reflection of your personal prejudice.

Does it in any way affect the operation of the camera or of the security system attached to it?

Actually it does. Most cameras have a limit of how many simultaneous connections are allowed. Exceed that limit and the owner might have to reboot the camera in order to access their own video feed. Bad news if that camera's looking at the door of your emergency room or your unmanned warehouse half a continent away.

But how many are gonna actually want to spend any time staring at these things? Most of us here have tried that VERY old trick and found out the insidious truth...that most of these things are about as exciting as watching paint dry. Just for the hell of it when I saw TFA I did the usual old tricks and out of 30 or so cams I checked out the most exciting thing I saw was a guy turn his snowmobile around in a parking lot. Woo hoo!

Frankly there isn't a point in securing 99.999% of these things because they are

If it can supply a video feed, then perhaps a video feed can be supplied to it, overriding what the camera itself is sending. Loop in yesterday's stream à la Speed [imdb.com] and voilà... trackless break-in opportunity.

9/11/2001: I was working for a newspaper and since most of the usual communication lines were jammed, etc. I was put on the mission to find an open webcam in NYC. I found one on top of Empire State Building that gave us a fairly clear shot that we used for our piece on the subject. That was 2001 so this is ooooooold news..

Although I was only watching the video [of a set of three red-light cameras that I pinpointed to an intersection in eastern Texas], the fact was that I had accessed a set of public security cameras that were left wide open for anyone to get in.

Because he accessed the feed through the back door, he probably didn't see the welcome mat on the front door. Many jurisdictions put traffic cameras (which are not the same as 'security cameras') online intentionally so people can pla

I know you're joking, but they really shouldn't be used on a publicly accessible network. The building I was working at had analog ones which were on their own set up. I'm not sure why it would be such a deal to set up those IP cameras to use their own private network. Which they really should be anyways because if you care about it enough to point a camera at it, then you should care enough about it to not want other network use to affect it.

Just an FYI, as someone who does this for a living, most of our competition leaves their cameras at the factory default usernames and passwords. Try root, admin or Admin as usernames, and root, admin, pass, 1234, 12345 or just plain blank as passwords. Some of the manufacturers are getting a clue and requiring a password be created on first login in the newer firmware, but most of these bozos are just putting in the old factory default again.

Glad I work for one of the few security companies that doesn't have its head up its collective ass. I'd really hate working for one of the Big Three.

Horrible practice, however I would imagine that many of these jobs are contract installs. If no one is around to create and keep the password I can understand how some installers would not change it as it then becomes their obligation to store the password. More of a headache, but as a security business this is laughable!

And why would a computer security firm contract install webcameras? If it's one of those CCTV replacement systems I've read about (and not just webcameras existing for some other reason), wouldn't you get a package deal with remote monitoring and management from the "physical security" firm? Unless they bought one or rigged up one themselves and thought "oh, we'll handle it ourselves".

But still, it sounds completely insane. I knew the IT security industry was full of crazy, but this is just surreal. Insi

What amazes me are the IT staffers that actively avoid any knowledge or involvement with the same system that secures their server room and data closets. I had one fellow actually say, "I don't know anything about that server, and I don't want to know anything about that server." When I kept talking he learned that he had a Win2K SP2 system on their network with an unpatched SQL2000 database, no backup, no virus scan, and Internet access that auto-logged on as Administrator. We have to clean up crap like

I've never done this sort of work, but I suppose they operate on or have degenerated to the principle "if we just keep telling the management what they want to hear and don't expose too much incompetence in the IT staff we get paid with a minimum of fuzz, even if we could technically fix this"?

How do you guys handle situations like that? Ever had any problems when actually telling the management/client? Or is it all cool and professional?

Essentially I tell my boss, and he talks to their boss. Normally we can do most of our own work on the end points without too much trouble (servers, cameras, access control panels, etc.), and I go out of my way to let them know that I'll be as flexible as they need and want to inconvenience them as little as possible. Works most of the time.

Not always though. We have one customer where I just plain can't talk to the network admins directly because I inadvertently showed them up as a clot of incompetent

That often comes down to "it was somebody else's incredibly stupid idea I argued against and when it breaks we can have something sensible". Childish but understandable. The responsible thing to do is have unauthorised backups for when such pet projects die instead of just ignoring them. Without a decent boss and a long history of trust in your workplace this can land you in deep shit if discovered, but the shit could be deeper if you don't do it, the pet project breaks and the owner of the pet project do

My version of your 'unauthorized backup' is a scheduled SQL script that backs up to a flash drive hidden in the back of the server. That way when the controller corrupts the entire RAID array I can still recover the system. I only do it in places where I can't trust the IT staff, but it's already paid for itself twice.

Because then they can figure out ways of obscuring themselves more effectively. Which is the problem, additionally you frequently run into dome cameras where you're not sure where exactly they're pointed. With practice you can see very quickly, but it's a bit of a risk.

You can tell how wide the field of view of a camera mounted 30 feet up is just by looking at it? I think it would be rather helpful when planning a robbery/murder/whatever to know exactly where the cameras are looking instead of having just a general idea. Plus getting this information online reduces your risk of being recognized from having cased the location in person.

Ahh see, now looking in on an open webcam is one thing - with a good lawyer you probably wouldn't make it to court. Trying to break into one that is secured by a password (even a shitty password) is criminal pretty much everywhere.

Where did you say you worked again? Failing that, who was the "competition"? I know that you know these are rhetorical questions, but if you DID get caught one day I'm sure you wouldn't be able to hide behind the "security researcher" excuse for long.

At the University where I work, there are cameras in all of the lobby areas and in many of the labs. They are publicly accessible, for the most part - non-port 22 but otherwise unsecured. However, because the University wants to be able to use the pictures in legal proceedings, all the camera areas are clearly marked with "Video Surveillance" stickers.

I can't speak for anyone else, but it's not that hard to just not do funky things in these areas.

Yes, it intrudes on my sphere, but I have no expectation of privacy at work, or on the street. If I want to do something private, I go somewhere private. It's not that much of a burden, at least to me.

What are you, some sort of Religious prude? Come on, really get with the times. Not only are you supposed to do it public, you are supposed to use video cams and upload your exploits to PornTube or other video sharing sites. No judging going on there, as whatever you're into, you're not alone!

Yes, it intrudes on my sphere, but I have no expectation of privacy at work, or on the street. If I want to do something private, I go somewhere private. It's not that much of a burden, at least to me.

What happens when cameras - and the databases behind them - become so pervasive that you can't go anywhere without a permanent record being made? It's one thing for some people on the street to see you walk to the corner drug store and buy a pack of condoms. It's an entirely different thing for that to be recorded and cross-indexed with everything else you've done outside of your home.

Now all I need is to have the IP address of my local red light and speed cameras.

Of course, I would never have any fun and do something like, changing the time, moving the camera, replacing drivers' faces with pictures of say, maybe Osama Bin Laden, Benjamin Franklin, or the president.

If they're stupid enough to leave an unsecured camera with a public IP address out there for the world to access, then they're probably too stupid to have effective tracking software to figure out who you are and where you're doing it from.

If the streams were secured, there'd be a monopoly or oligopoly of the information thereof, paving way for police states. As long as it's publicly accessible (though it should be properly accounted and publicly listed) it's common knowledge to be leveraged by all. Want to check whether your friends are hanging at their usual place? Check it out from the live stream. Want to see how it's like to live on the other side of the world? Want to follow an uprising in Tunisia? Likewise.

Yes. The inequality of information access is usually why we worry about privacy. We are quite comfortable operating in public places. It's the selective and unaccountable use of information about us that freaks people out.

Information that is truly public isn't nearly as scary as information which is selectively used by people working in secret. Most corporations, of course, prefer that the data you turn over remains entirely private. And we have no corresponding view into the corporation's inner workings (F

The annoying thing is that if someone just looked at one of these publicly accessible, unauthenticated streams they could potentially be charged for computer misuse or whatever else their jurisdiction's generic 'hacking' offense is. There really needs to be some higher bar on those laws sometimes.

I found many online cameras 3-4 years ago, but things seem to have changed. For example, the Ars Technica article, referenced earlier, says "Change the search to “intitle: ‘Live View / - AXIS 206M,’” though, and Google returns 3 pages of links to 206Ms that are online and viewable." But when I try this, I only get spam websites and articles telling you "how to use Google to find online cameras".

that says that if a government is installing security cameras in a public location that the feeds from those cameras have to be publicly accessible, via the web, and no getting around this by hiring a contractor to install a camera and then claiming that the feed is private. This wouldn't be a total solution to the problem of stupid bureaucrats indulging paranoid morons by installing cameras everywhere, but it would slow things down and it would reduce the asymmetry of information between the government and

So what do you suggest when 500 people are all trying to access the camera at the Park & Ride where there was a suicide and the camera only allows 20 connections? Will the police and security guards just have to wait their turn, hitting Refresh until they get lucky? How are you going to keep the script kiddies out of the admin settings? Is bandwidth free on your planet? Sorry, but that post just has 'BAD IDEA' written all over it.

They can be overcome relatively easily by the customer's IT staff, but IT doesn't want anything to do with these systems and we, the security contractor, don't have the access to their network and servers to set it up. You have no idea how much resistance we run into just putting a simple access control system on the network, much less a camera system, and we're supposed to also get them to create/maintain a web site to that equipment? In your dreams.

I had the OSX version of surveillancesaver installed on my mac, but when I upgraded to Snow Leopard it quit working. Found out it was written in Quartz, so I re-compiled it with the new version, and got it working again.

Then I found out that the guys who wrote the original went on to found the Public Viewpoint Project, which searches for publicly available webcams and creates an RSS feed. I can't find their web site anymore, but the RSS feed is still up. I added to the screen saver the ability to connect to

The president where I work has been hounding my tail to get IP cameras in the building. He doesn't want them isolated to our internal LAN. He wants them to have a public IP address so he can connect to them from any browser in the world. He wants to be able to peek in and see what is going on at any hour of the day.

Tell him he can have what he wants if he antes up for a dedicated VPN or equivalent "front end login" that doesn't expose the cameras or the control computer directly to the Interweb.

You might also gain some traction if your state or country's employment laws would put the company or its officers at risk for violating employee privacy if they put the cameras on the web without adequate security. Heck, if the lawyer says doing this puts YOU at risk then that's the ultimate trump card.

Go with Axis cameras and set up NAT Traversal. Pretty easy to do and unless someone knows which port to use (configurable) they won't be able to get at the cameras at all. Then make sure that Anonymous Viewing is turned off and give him a View Only login and password. We have a customer with a very rural facility that he sublets space in. His customers need to be able to see weather conditions before they try to send people out to the site, so they can put in the address of his DSL router with the por

We (security companies) have to use the addresses that our client's network admin gives us. If they're stupid we end up putting it on a subnet that's accessible from outside (how is it that so many terminally stupid people have CCIE after their name?) If they're stupid and cheap we may even have to put them on the Internet without even a VPN tunnel. If that happens we at least use an alternate port number, but most of our competition isn't that bright.

So what if they are on google, most are empty until action happens, and the timing needed to be on at the same time action happens, is too small to even bother...unless it was inside a shower, then you pay per view....however, a camera set up outside someone's home to log each entry into a house is pretty wasteful to watch...who cares if you can see what they see....as long as you can't reconfigure it,...

A while back I ran across the SurveillanceSaver project - a simple screen saver which contained a small list of webcams it would cycle through. I had the OSX version installed on my mac, but when I upgraded to Snow Leopard it quit working. Found out it was written in Quartz, so I re-compiled it with the new version, and got it working again.

Then I found out that the guys who wrote it went on to found the Public Viewpoint Project, which searches for publicly available webcams and creates an RSS feed. I ca

Since I first arrived in La Jolla, CA (92037) and noticed the little black domes darn near everywhere I theorized that, whether or not different subcontractors manage the security contract for any individual location, there is some overseer--either official or sitting on a network intersection--who has access to all of them. They probably have a FPS/MMORPG type interface which they are able to use to follow any particular person around should any particular person happen to catch their special interest. G

My senior seminar project as a CS undergrad (2005) was the creation of a motion sensing surveillance system. Part of the demonstration I did during the presentation was to show how my software could monitor cameras from around the world for motion. In many cases I had no idea where the cameras were physically located. Later as part of my Masters thesis (2010), I extended the software to include face recognition... now it can identify "John Doe" and you can have it tell you when it sees specific people in a

My city has several cameras around the city available for access at the city's taxpayer-funded website. I decided to use them once to create some time-lapse video of the wax and wane of winter weather. One day, suddenly I couldn't access the cams anymore. Or the entire website. They unilaterally decided that I was using too much of their bandwidth and dropped my IP into a configuration file to disable my access, expecting me to go to them to get my access reinstated. Of course, all information on how to contact them was on their now-restricted website.

The amount of data transferred was less than 1 DVD a month. It wasn't that the usage was excessive; it was that my usage was an identifiable spike. But instead of limiting how often you can pull frames from the cameras (I used 1 every 30 seconds, sub-SD resolution, in greyscale, but from every camera), they instead decided to lock me out. (They also say they don't retain the video they record.)

Unfortunately, since I was grabbing these still images using my machine at work, and others at work were just monitoring the cameras in preparation for travel home, they saw it as coming from multiple IPs in the same subnet and blocked the company's entire IP range, which became a problem when the head of HR was needing to do background checks on some potential new hires on the city website.

Now if I want to do time-lapse videos of traffic cams again, I'm going to have to do it from home and through Tor so they can't identify one IP block. Even though there's some nice snowfall patterns recently, it just isn't worth the effort/hassle to satisfy my creative curiosity now.

We do a similar thing with a few remotely located cameras. In this case, it's a webcam aimed at a river with a proposed hydroelectric development. The purpose of the camera is for ice monitoring. It takes photos hourly and is connected via satellite modem.

Weird how even not reading names I can tell it's one of your sock puppets. You need to develop a better trolling technique. You're not as amusing as the GNAA or trying to hide goatse into everything and that's saying something.

And stay away from the low-bid vendors when dealing with security - they're coming in with the lowest price for a reason. My employer will always lose on a price-only proposal. The customer frequently ends up spending more to have us or AC come in and clean up the mess left behind. Three times in the last two months I've had a new customer tell me that the first thing they want me to do, before anything else, is remove Company-X (one of the Big Three) from their system.